Role-Based Access Control (RBAC) Is Not Working in Databricks

Introduction

Access control in Databricks Unity Catalog lets administrators and object owners grant privileges on securable objects (catalogs, schemas, tables, views, volumes, functions) to users, service principals, and account-level groups. Permissions on clusters and SQL warehouses are separate workspace-level ACLs, not Unity Catalog privileges. Databricks describes this as a privilege model rather than a set of roles, but this guide uses "RBAC" loosely for it. When it misbehaves, the result is unexpected access denials, GRANT statements that fail, or objects that some users cannot see.

🚨 Common RBAC issues in Databricks:

  • Users cannot access Unity Catalog objects (catalogs, schemas, or tables).
  • SQL queries fail with PERMISSION_DENIED or INSUFFICIENT_PERMISSIONS errors.
  • Privileges (USE CATALOG, USE SCHEMA, SELECT, MODIFY) or ownership do not take effect as expected. Unity Catalog has no built-in Owner/Reader/Editor roles; each object has one owner plus explicitly granted privileges.
  • Privileges granted to a group do not apply to its members.

This guide covers troubleshooting steps and solutions for RBAC issues in Databricks.


1. Verify That Unity Catalog RBAC Is Enabled

Symptoms:

  • Catalog Explorer shows only hive_metastore; no Unity Catalog catalogs exist.
  • There is nowhere to set privileges on catalogs or schemas because none exist.
  • Users can read every table in hive_metastore regardless of the GRANTs you issue.

Causes:

  • The workspace is not attached to a Unity Catalog metastore, so only the legacy Hive metastore is available.
  • Unity Catalog privileges never apply to hive_metastore objects; those are governed only by the legacy table access control feature, and by nothing at all if it is disabled.

Fix:

Check whether the workspace is attached to a metastore:

SHOW CATALOGS;
  • If only hive_metastore appears, the workspace is not attached to a Unity Catalog metastore.
  • Run this as a metastore admin. SHOW CATALOGS lists only the catalogs the caller holds a privilege on, so an ordinary user may see nothing but hive_metastore even when Unity Catalog is attached.

Creating a metastore and attaching it to a workspace are account admin operations, done in the account console (Catalog → Create metastore) or with the metastores command group of the Databricks CLI:

databricks metastores create <metastore-name> --region <region> --storage-root <storage-root>

Attach the metastore to the workspace:

databricks metastores assign <workspace-id> <metastore-id> <default-catalog-name>

The legacy CLI's databricks unity-catalog metastores commands are deprecated and flag names differ between CLI versions, so confirm them with databricks metastores create --help before running. Attaching a metastore does not migrate hive_metastore tables: users must reference Unity Catalog objects by three-level name (catalog.schema.table) for the grants to apply.


2. Check User Permissions for Unity Catalog Objects

Symptoms:

  • Error: “Permission denied: Cannot access catalog/schema/table.”
  • Users cannot list catalogs, schemas, or tables in Unity Catalog.
  • Ownership or privileges such as SELECT and MODIFY do not have the expected effect.

Causes:

  • A link in the privilege chain is missing: SELECT on a table is useless without USE CATALOG on its catalog and USE SCHEMA on its schema.
  • Being a workspace admin grants no Unity Catalog privilege at all; only metastore admins and object owners have implicit access.
  • Privileges were granted on the wrong object (one schema instead of the catalog, or a different table than the one being queried).

Fix:

List the grants on the catalog, and also on the schema and table, since the privilege check happens at every level:

SHOW GRANTS ON CATALOG my_catalog;
SHOW GRANTS ON SCHEMA my_catalog.my_schema;
SHOW GRANTS ON TABLE my_catalog.my_schema.my_table;

Grant the full chain to the user or, preferably, to an account-level group:

GRANT USE CATALOG ON CATALOG my_catalog TO `user@example.com`;
GRANT USE SCHEMA ON SCHEMA my_catalog.my_schema TO `user@example.com`;
GRANT SELECT ON TABLE my_catalog.my_schema.my_table TO `user@example.com`;

Privileges granted on a catalog or schema are inherited by every object below it: SELECT granted on my_catalog reads every table in the catalog. Grant at the level that matches the intended scope and no higher.

Transferring ownership gives a principal every privilege on the object and everything below it, plus the right to grant those privileges to others. Databricks SQL expresses this with ALTER ... OWNER TO; GRANT OWNERSHIP is not valid syntax:

ALTER CATALOG my_catalog OWNER TO `user@example.com`;

Treat ownership as a privileged role: keep it with an account-level group of administrators and grant specific privileges to everyone else.

When granting to a group, the group must be an account-level group. Workspace-local groups cannot hold Unity Catalog privileges, and a GRANT to one fails:

GRANT SELECT ON TABLE my_catalog.my_schema.my_table TO `my_group`;

Groups reach the Databricks account through SCIM provisioning from the identity provider (Entra ID, Okta, and so on). Check that the group exists at the account level; this CLI command needs an account-level profile:

databricks account groups list

If the group is missing, fix SCIM provisioning in the identity provider rather than creating the group by hand in a workspace, which produces a workspace-local group that Unity Catalog ignores.


3. Group-Based RBAC Not Working

Symptoms:

  • Users assigned to a group do not inherit its privileges.
  • Group grants do not apply to catalogs, schemas, or tables.
  • Groups from the identity provider (Entra ID, Okta, and so on) are not reflected in Databricks.

Causes:

  • Groups are not synced from the identity provider (IdP) into the Databricks account because SCIM provisioning is missing or broken.
  • The user is not a member of the group as Databricks sees it: membership was changed in the IdP but not yet synced, or changed in Databricks and then overwritten by the next sync.
  • The grant targets a workspace-local group rather than an account-level group; Unity Catalog recognizes only account-level groups.

Fix:

Verify that the group exists at the account level (these Databricks CLI commands need an account-level profile):

databricks account groups list

Check the group's members:

databricks account groups get <group-id>

The workspace-level databricks groups list and databricks groups list-members --group-name my-group commands of the legacy CLI show workspace groups, which Unity Catalog does not consult.

If the group is provisioned from the identity provider, fix membership there and let SCIM sync it. For Entra ID:

az ad group member add --group my-group --member-id <user-object-id>

Members added by hand in Databricks to a SCIM-managed group are removed on the next sync, so edit membership in the account console (User management → Groups) only for groups that are managed inside Databricks.

Confirm the grant targets the account-level group:

GRANT SELECT ON TABLE my_catalog.my_schema.my_table TO `my_group`;

Databricks on AWS does not derive group membership from IAM. Provision groups into the Databricks account from your IdP (Okta, Entra ID, and so on) via SCIM; IAM roles are used for storage credentials and instance profiles, not for user and group access control.


4. RBAC Permissions Not Applying in Clusters or SQL Warehouses

Symptoms:

  • Unity Catalog privileges are enforced on some clusters, while on others the data is unreachable or ungoverned.
  • SQL warehouse users cannot access Unity Catalog objects.
  • A notebook can read hive_metastore tables that Unity Catalog does not govern at all.

Causes:

  • The cluster uses an access mode that does not support Unity Catalog ("No isolation shared"), or a Databricks Runtime older than 11.3 LTS. Only the Standard (formerly Shared) and Dedicated (formerly Single user) access modes enforce Unity Catalog privileges.
  • SQL warehouses always use Unity Catalog, but the user also needs the workspace-level "Can use" permission on the warehouse itself.
  • hive_metastore tables are outside Unity Catalog's privilege model.

Fix:

Check the cluster's access mode:

  1. Go to Compute → select the cluster → Edit.
  2. Set Access mode to Standard (Shared) or Dedicated (Single user); the change takes effect after a restart.

For a SQL warehouse, grant "Can use" on the warehouse (Permissions in the warehouse's settings) and the Unity Catalog privileges on the data:

GRANT USE CATALOG ON CATALOG my_catalog TO `user@example.com`;

USAGE is the legacy Hive table-ACL keyword; Unity Catalog uses USE CATALOG and USE SCHEMA.

Unity Catalog grants apply to the next query without a restart. A restart is needed only after changing the cluster's access mode or runtime.


5. Cannot Grant Privileges Due to Missing Ownership

Symptoms:

  • Error: “User does not have ownership privileges to grant permissions.”
  • Workspace admins cannot grant privileges on objects they did not create.

Causes:

  • Privileges on an object can be granted by its owner, by the owner of an enclosing object (the catalog owner can grant on every schema and table in it), or by a metastore admin. Workspace admin is none of these.
  • The object was created by another user, who is still its owner.

Fix:

Check the current owner of the catalog, schema, or table (SHOW GRANTS lists privileges but not the owner; DESCRIBE SCHEMA EXTENDED and DESCRIBE TABLE EXTENDED work the same way for schemas and tables):

DESCRIBE CATALOG EXTENDED my_catalog;

Transfer ownership; the current owner or a metastore admin can do this. Databricks SQL uses ALTER ... OWNER TO, not GRANT OWNERSHIP:

ALTER CATALOG my_catalog OWNER TO `admin@example.com`;

Prefer an account-level group as the owner so that objects are not orphaned when an individual leaves. Once ownership is assigned, grant privileges:

GRANT USE CATALOG ON CATALOG my_catalog TO `user@example.com`;

6. Cannot See Unity Catalog Objects in UI

Symptoms:

  • Users do not see catalogs, schemas, or tables in Catalog Explorer.
  • SHOW CATALOGS returns nothing beyond hive_metastore.

Causes:

  • The user holds no privilege on the catalog. SHOW CATALOGS and Catalog Explorer list only catalogs the user owns or holds a privilege on (USE CATALOG, BROWSE, and so on); the same rule applies to schemas via USE SCHEMA.
  • The catalog is bound to other workspaces only. A catalog whose workspace bindings exclude the current workspace is invisible there even to users who hold privileges on it.

Fix:

Grant catalog access explicitly:

GRANT USE CATALOG ON CATALOG my_catalog TO `user@example.com`;

If using a group, grant at the group level (an account-level group):

GRANT USE CATALOG ON CATALOG my_catalog TO `my_group`;

If the grant exists and the catalog still does not appear, open the catalog in Catalog Explorer → Workspaces and check that the current workspace is in its binding list, or that the catalog is set to be accessible from all workspaces.
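Sections 2, 3, 5 and 6 all come down to the same few rules: privileges inherit from catalog to schema to table, a SELECT needs USE CATALOG and USE SCHEMA on the parents, only an owner (of the object or of an ancestor) or a metastore admin can GRANT, and grants must target users or account-level groups. The following Python model is an added example, not Databricks code or an official API; the Metastore class, and the sample principals, groups and grants inside build_sample, are constructed here to show how those rules combine when diagnosing a "permission denied".

```python
"""Offline model of how Unity Catalog resolves a privilege check.

Added example, not Databricks code. It encodes the rules this guide relies on:
a grant on a parent securable is inherited by every child; reading a table
needs USE CATALOG + USE SCHEMA + SELECT along its path; only the owner of the
object (or of an ancestor) or a metastore admin may GRANT; and grants go only
to users or account-level groups (service principals are left out of the
model). All users, groups and grants below are constructed sample data.
"""
from dataclasses import dataclass, field

# Privilege required at each level of catalog.schema.table to run SELECT.
SELECT_CHAIN = (("catalog", "USE CATALOG"), ("schema", "USE SCHEMA"), ("table", "SELECT"))


@dataclass
class Securable:
    name: str                    # fully qualified: cat, cat.sch or cat.sch.tbl
    owner: str                   # a user or an account-level group
    grants: dict[str, set[str]] = field(default_factory=dict)  # principal -> privileges


class Metastore:
    def __init__(self, admins: set[str], account_groups: dict[str, set[str]]):
        self.admins = admins                 # members of the metastore admin group
        self.groups = account_groups         # account group -> members (users or groups)
        self.objects: dict[str, Securable] = {}

    def add(self, name: str, owner: str) -> None:
        self.objects[name] = Securable(name, owner)

    def grant(self, name: str, principal: str, privilege: str) -> None:
        # Workspace-local groups are not Unity Catalog principals: a real GRANT to
        # one fails, so the model rejects any non-user principal it does not know.
        if "@" not in principal and principal not in self.groups:
            raise ValueError(f"{principal!r} is not a user or account-level group")
        self.objects[name].grants.setdefault(principal, set()).add(privilege)

    @staticmethod
    def ancestors(name: str) -> list[str]:
        """'cat.sch.tbl' -> ['cat', 'cat.sch', 'cat.sch.tbl'], parents first."""
        parts = name.split(".")
        return [".".join(parts[:i]) for i in range(1, len(parts) + 1)]

    def principals_of(self, user: str) -> set[str]:
        """The user plus every account group containing them, through nesting."""
        found = {user}
        while True:
            grown = {g for g, members in self.groups.items()
                     if g not in found and members & found}
            if not grown:
                return found
            found |= grown

    def has_privilege(self, user: str, name: str, privilege: str) -> bool:
        if user in self.admins:
            return True                      # metastore admins bypass object grants
        principals = self.principals_of(user)
        for anc in self.ancestors(name):     # parent grants are inherited by children
            obj = self.objects[anc]
            if obj.owner in principals:
                return True                  # an owner holds every privilege on the object
            for p in principals:
                held = obj.grants.get(p, set())
                if privilege in held or "ALL PRIVILEGES" in held:
                    return True
        return False

    def missing_for_select(self, user: str, table: str) -> list[str]:
        """Links of the USE CATALOG / USE SCHEMA / SELECT chain the user lacks."""
        return [f"{priv} on {level} {anc}"
                for anc, (level, priv) in zip(self.ancestors(table), SELECT_CHAIN)
                if not self.has_privilege(user, anc, priv)]

    def can_grant(self, user: str, name: str) -> bool:
        """Metastore admins and owners of the object or of an ancestor may GRANT."""
        if user in self.admins:
            return True
        principals = self.principals_of(user)
        return any(self.objects[a].owner in principals for a in self.ancestors(name))

    def visible_catalogs(self, user: str) -> list[str]:
        """Simplified SHOW CATALOGS: a catalog is listed if the user owns it, holds
        USE CATALOG or BROWSE on it, or is a metastore admin."""
        return sorted(c for c in self.objects if "." not in c and
                      (self.has_privilege(user, c, "USE CATALOG")
                       or self.has_privilege(user, c, "BROWSE")))


def build_sample() -> Metastore:
    """Constructed data: group data-eng is nested inside group analysts."""
    ms = Metastore(admins={"metastore-admin@example.com"},
                   account_groups={"analysts": {"data-eng", "ana@example.com"},
                                   "data-eng": {"eng@example.com"}})
    for obj in ("prod", "prod.sales", "prod.sales.orders"):
        ms.add(obj, "owner@example.com")
    ms.grant("prod", "analysts", "USE CATALOG")
    ms.grant("prod.sales.orders", "analysts", "SELECT")  # USE SCHEMA deliberately absent
    return ms
```

In the constructed sample, eng@example.com reaches the analysts grants through the nested data-eng group, yet missing_for_select("eng@example.com", "prod.sales.orders") still reports "USE SCHEMA on schema prod.sales" until that grant is added; that is exactly the gap a SHOW GRANTS check at each level has to look for. A grant to a group name that is not an account-level group raises ValueError, mirroring the failure of a GRANT to a workspace-local group. The model is deliberately simplified: it ignores row filters, column masks and the finer BROWSE visibility rules.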


Step-by-Step Troubleshooting Guide

Step 1: Verify Unity Catalog Is Enabled

SHOW CATALOGS;
  • If only hive_metastore appears, the workspace is not attached to a Unity Catalog metastore. Run it as a metastore admin, since an ordinary user sees only the catalogs they hold privileges on.

Step 2: Check User Permissions

SHOW GRANTS ON CATALOG my_catalog;
  • Ensure the user, or one of their account-level groups, has USE CATALOG on the catalog, USE SCHEMA on the schema, and SELECT on the table.

Step 3: Check Group Memberships

databricks account groups get <group-id>
  • Ensure the user is a member of the right account-level group, not only of a workspace-local one.

Step 4: Ensure Clusters and Warehouses Are Unity Catalog-Enabled

  • Set the cluster's access mode to Standard (Shared) or Dedicated (Single user) and restart it; give SQL warehouse users "Can use" on the warehouse.

Step 5: Change Ownership if Needed

ALTER CATALOG my_catalog OWNER TO `admin@example.com`;

Best Practices for RBAC in Databricks Unity Catalog

Use Group-Based RBAC Instead of User-Based Permissions

  • Grant privileges to account-level groups rather than to individual users, and keep ownership with a group as well.

Regularly Review User and Group Permissions

SHOW GRANTS ON CATALOG my_catalog;

  • For a metastore-wide review, query the privilege views in system.information_schema (catalog_privileges, schema_privileges, table_privileges) instead of running SHOW GRANTS object by object.

Ensure Clusters and Warehouses Support Unity Catalog

  • Clusters in "No isolation shared" access mode, or on a runtime older than 11.3 LTS, cannot enforce Unity Catalog privileges.

Sync Identity Provider Groups With Databricks

  • Provision groups into the Databricks account via SCIM from your IdP (Entra ID, Okta, and so on) so that grants target account-level groups that stay in sync with the IdP. Databricks on AWS does not take group membership from IAM.

Conclusion

If RBAC is not working in Databricks, ensure:
✅ The workspace is attached to a Unity Catalog metastore.
✅ Users hold the full chain of USE CATALOG, USE SCHEMA, and SELECT privileges.
✅ Clusters use a Unity Catalog access mode and SQL warehouse users have "Can use" on the warehouse.
✅ Grants target account-level groups that are synced from the identity provider.
✅ Ownership sits with the principal, ideally an administrator group, that needs to manage privileges.

Working through these checks in order covers the common causes described in this guide.
